Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2023, 17:44

General

  • Target

    NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe

  • Size

    391KB

  • MD5

    0bb3ccf16acce19c0425f1c837584820

  • SHA1

    255c5bb5f807465f426853a89a38c3a588294fc8

  • SHA256

    28360f99c2a7c863c49863527a1754dd0efcf343f50d41afc1f8e050b7cedff3

  • SHA512

    e39c95f171b07e406c0360b138abefb6b5d62b3df04d9c0cdab53a934613d0ecb7e4663de32e3cb04dc33bc08439d37fc932f7beca0b6dfff079e5c843fbaf11

  • SSDEEP

    6144:dC4umWphVf4j27zo1zK4f+dP9+xCOwTdzi1IcX45yV4:H9WphJx7kzlfUFGwTdnyVu

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 58 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinIcons /t REG_SZ /d C:\Windows\system32\winicons.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\SysWOW64\reg.exe
        reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinIcons /t REG_SZ /d C:\Windows\system32\winicons.exe /f
        3⤵
        • Adds Run key to start application
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\sychost.exe

    Filesize

    391KB

    MD5

    0bb3ccf16acce19c0425f1c837584820

    SHA1

    255c5bb5f807465f426853a89a38c3a588294fc8

    SHA256

    28360f99c2a7c863c49863527a1754dd0efcf343f50d41afc1f8e050b7cedff3

    SHA512

    e39c95f171b07e406c0360b138abefb6b5d62b3df04d9c0cdab53a934613d0ecb7e4663de32e3cb04dc33bc08439d37fc932f7beca0b6dfff079e5c843fbaf11

  • C:\log.txt

    Filesize

    75B

    MD5

    1444e1fadcf84e3139a68d80fd726655

    SHA1

    fe53320b67cbe4aa42f9fa8982f1362827ace2b3

    SHA256

    259fb6155a222e667506d97495cdf724766f422f3d870be966a34bdf29d98593

    SHA512

    1856c487f24e60d7fcb8559a8ebba58ea2a4d4a7d8cc466d6d13bd684551e8e256300629044d862c4e4a72bfbdf5f2382a42d1504952632f05af10b4c79b616f

  • memory/2820-66-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2820-67-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2820-68-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2820-71-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2820-85-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2820-86-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2820-88-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2820-91-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2820-92-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2820-93-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2820-94-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB